Most of the major web browsers have either already disabled third-party cookies by default (Safari and Firefox), or plan to do so in the future (Google). Privacy advocates hope that these moves will usher in a new era of safer web browsing.
But there is a category of web browsers with much weaker protections, where cookies aren’t even required in order to track users across the web: the in-app browser. These browsers have managed to stay out of the mainstream privacy conversation until recent stories involving Meta and TikTok threw them, and their lax privacy standards, into the spotlight.
Many mobile apps will include links to content hosted on the world wide web. Social platforms will show user-posted links to external content, news apps will include links to original sources for stories, and apps with sponsored links will lead users to external vendors’ websites to browse and buy products.
Since this content must be accessed by a web browser, many apps will prompt users to open those links in a third-party browser: the familiar popup where your phone asks which of your browsers (or other apps) you want to use to open a link.
But some app developers have built their own web browsers which launch within their own apps. When a user clicks a link, they’ll be led straight to the relevant page on that in-app browser. But they can then keep browsing the web, clicking on further links, taking them away from the original content.
Because the user hasn’t left the original app, it’s possible for the owner of that app to track their web activity – not only the original page they land on when they open up the in-app browser, but any further activity too. And this tracking may be much more invasive than standard cookie-based tracking, with the app even able to tell what users have clicked on, and what they’ve typed into forms – which could include sensitive information like passwords and credit card details.
The Technical Detail
The security risk of in-app browsers first came to mainstream attention after a report from Felix Krause, founder of Fastlane, a tool to help developers build mobile apps.
The fact that this code exists doesn’t mean that TikTok is saving that data or using it for malicious purposes (and TikTok maintains that the code is “solely used for debugging, troubleshooting, and performance monitoring”). But Krause says it’s impossible to know for sure how that data is used, meaning users have to take TikTok’s word for it that the company isn’t tracking their in-app browsing.
It’s important to note that not all in-app browsers are the same, or present the same security risks.
Many apps will use tools provided by the mobile operating systems themselves, which don’t have the same security risks. Apple, for example, encourages developers to use ‘SFSafariViewController’, a standardised way of presenting web pages within an app which prevents tracking.
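A sketch of how an iOS app can hand an external link to SFSafariViewController rather than a web view it controls itself. This is an added example, not code from the article, from Krause's report or from Apple; the `ExternalLinkOpener` type and its method names are hypothetical.

```swift
import SafariServices
import UIKit

/// Hypothetical helper (not from the article): opens links found in app
/// content without loading them in an app-controlled web view.
enum ExternalLinkOpener {

    /// SFSafariViewController only accepts http and https URLs and raises an
    /// exception for anything else, so other schemes must be routed elsewhere.
    static func isWebURL(_ url: URL) -> Bool {
        guard let scheme = url.scheme?.lowercased() else { return false }
        return scheme == "http" || scheme == "https"
    }

    @MainActor
    static func open(_ url: URL, from presenter: UIViewController) {
        guard isWebURL(url) else {
            // mailto:, tel:, custom schemes: let iOS pick the handling app.
            UIApplication.shared.open(url, options: [:], completionHandler: nil)
            return
        }

        let config = SFSafariViewController.Configuration()
        config.entersReaderIfAvailable = false
        // Stop the top bar collapsing on scroll so the site's domain stays
        // visible to the user for the whole session.
        config.barCollapsingEnabled = false

        // The page is rendered outside the host app's process: the app cannot
        // inject JavaScript into it, read its contents, or observe taps and
        // keystrokes, unlike a web view the app embeds and controls itself.
        let safari = SFSafariViewController(url: url, configuration: config)
        safari.dismissButtonStyle = .close
        presenter.present(safari, animated: true)
    }
}
```

A call such as `ExternalLinkOpener.open(link, from: self)` from the view controller showing the link is all the app needs; every later navigation inside the sheet stays out of the app's reach as well.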
The Pros and Cons
In-app browsers do have benefits for consumers.
They can allow faster loading times (though they don’t always), since a separate web browser app doesn’t have to be opened up. They can also make for a more streamlined user experience, keeping the user within one window without the need to jump back and forth between the original app and their web browser.
And while TikTok and Instagram are hardly struggling for attention, smaller apps would argue that in-app browsers allow them to link to external content without totally losing their users. In-app browsers are much more limited than standard browsers – for example, they don’t typically have an address bar, making web browsing much clunkier. This means users are more likely to click on a link, view the external content, and then return to their original app, rather than continuing browsing other third-party content.
The closed systems enabled by in-app browsers also have benefits for advertisers. While restrictions on mobile advertising IDs (MAIDs) have made measurement and attribution much more difficult, mobile web browsers help circumvent these issues. Whenever a Facebook user clicks on an ad and then views the content on the in-app browser, Facebook can track the click and see when a purchase or download is completed.
But the cons are, as described above, the privacy concerns.
Most apps give users a choice of whether to open links in-app, or via an external browser, but that’s not always the case. TikTok notably doesn’t give users a choice, using the in-app browser by default.